Description

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

Remediation

References

CVE-2015-8838

Related Vulnerabilities

WordPress Plugin Kama WP Smiles Unspecified Vulnerability (1.8.1)

WordPress Plugin FlyingPress Security Bypass (3.9.6)

WordPress Plugin Compact WP Audio Player Multiple Vulnerabilities (1.9.6)

Angular Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-4231)

Oracle Application Server Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2006-0586)

Severity

Medium

Classification

CVE-2015-8838 CWE-284 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities